Monday, September 24, 2007

Acrobat Reader security flaw exposes Windows to arbitrary exploits

A security researcher and self-described hacker known as "pdp" claims he has found a critical exploit in Adobe's Acrobat software that can compromise many Windows PCs simply by viewing a maliciously-crafted PDF file. The flaw affects both Windows XP SP2 and Windows 2003; Windows Vista, OS X, and Linux users are unaffected.

The bug affects Acrobat Reader, versions 8.1, 8.0, and 7, either when run in stand-alone mode or embedded inside a web page. Some work-alike PDF readers, such as the svelte Foxit Reader, are also affected but in a lesser manner: they display a confirmation dialog before the exploit is allowed to run.

The exploit uses a flaw in Adobe's scripting language to automatically run an executable program—the discoverer tested this by harmlessly running Calculator and Notepad in a video on his site. Yet, as noted, the exploit could be used to run any program, including a trojan or virus or a scripted attack. The malware in question would have to have already been downloaded onto the victim's computer, but this could be accomplished in various ways, including putting the executable inside a .ZIP file that includes the original PDF, or linking to a remote executable (the latter option would still trigger a warning by the operating system, however).